NGO Security

Monday, August 27, 2007

Thuraya Sat Phone

If you or your organization are shopping for a new sat phone, check out Thuraya's SG-2520. Weighing only 170 grams, this is the smallest and lightest dual-mode sat phone on the market. It combines GSM (tri-band), GPS, GmPRS (sat Internet access), and traditional sat phone service within Thuraya's coverage area into one slick little package.

Tuesday, August 21, 2007

Abductions Rant

I want to talk about abductions for a minute. Not the most recent ones in Afghanistan that have been getting lots of press. No, I want to talk about the ones the media never gets wind of, and are what I consider to be one the humanitarian community's dirty little secrets.

Last month a member of a senior management team for a large NGO, organization and person will both remain nameless, was abducted; in a country that shall also remain nameless. This was the second employee abduction in that country over the past several years; both never made the news - the first was a national staff member, the most recent, an international staff member. Abductions have been at the top of the threat matrix for quite some time in this location and the country office has had a number of security officer visits, with lots of good assessments and trainings.

So, senior staff member gets snatched, a ransom is demanded, threats are made, there's lots of confusion about roles, responsibilities, and what to do (both at the country office and headquarters levels), staff member gets released after ransom is paid by the family (oh yes, our organization has a policy of never paying ransoms), staff member is released unharmed and everyone lives happily ever after. Right?

I don't think so. There are five points I want to raise about this incident and abductions in general.

1. Minimize the risk. I'm not privy to the after-action report for this particular incident (if indeed one was ever generated), but from preliminary reports it certainly sounded like said staff member was likely not following security policies when the incident took place. I'd love to see some statistics associated with aid workers who end up victims of violence. My guess is it would mirror stats from law enforcement and fire, where complacency and feelings of invulnerability start to erode vigilance after a number of years. With cops and firefighters, it's usually not the rookies who get in trouble, but more often the veterans with 5 to 7 years under their belts.

2. Establish and follow your contingency plans. You're working in a place where abductions are a big threat. You've already had one staff member kidnapped in the near past. You would think an organization would have a solid contingency plan in place that would run like clockwork if a similar incident happened again. It sure didn't seem like it in this case. Are unrehearsed, poorly executed or non-existent contingency plans in the best of interest of your staff? Especially the ones who become the victim of a security incident?

3. Do no harm. For this particular NGO, when the national staff member was abducted and a ransom was paid (again by the family, but with a bit of help from an office donation), it was hushed up. Other NGOs operating in the area eventually found out about it and were none too happy they weren't told or consulted. I talked to someone who commented, "Ka-ching! Need some quick money, just grab an aid worker." I don't know how widely known this latest abduction is, but knowing the humanitarian community, I'm guessing other organizations have heard about it through the grapevine by now. Yes, I know. Staff are a priority, so we had to do something. But in following the old "do no harm" mandate, those making the decisions would be wise to give some deep thought to the potential implications of how they choose to deal with an abduction.

4. Cost of doing business. Managers always cringe when I ask this question and start looking really uncomfortable. What's the cost of doing business? Is an occasional abduction OK? How about a murder? What about a rape? The military calls it acceptable losses. Humanitarian organizations don't like to think about it. What are the potential costs you're willing to incur to complete your mission? What will make you pull out? These questions should be addressed way before an incident occurs.

5. Don't cover it up. One of my biggest beefs in doing security work for the humanitarian sector is despite all of the talk of transparency, security incidents tend to get shoved underneath the carpet with alarming regularity. Organizations have become slaves to public relations. Oh my, what will our donors think? This is going to reflect badly on us if it gets out, because that staff member should have known better. Organizations have lost sight of the value of learning from the past. With many NGOs, information about security incidents is never even shared internally with field staff. How can you honestly say you are doing your best to minimize staff risk if you don't take the opportunity to use prior security incidents to teach people and real world case studies to reinforce points?

I'm a little cynical and think it will be business as usual when it comes to NGOs and abductions. That means ransoms paid, incidents hushed up, information not shared, and a lack of standardized coordination and cooperation in handling abductions when they do occur.

There's just no economic incentive at the present time to get most organizations to address these issues and rethink their approaches. Unfortunately, the only way I see this changing is a high-visibility lawsuit or two aimed at a deep-pockets NGO where a staff member died or got hurt in a security incident and the organization failed to demonstrate an adequate level of due diligence before, during or after the event.

Friday, August 10, 2007

Securing Google Services

If like many people, you use Google's Web-based services (Gmail, Google Calender, Google Reader, etc.), there's a simple step you can take to ensure private information doesn't leak out over the Internet. By using https:// instead of http:// when you use a Google service (for example, https://www.gmail.com), you create an encrypted Secure Sockets Layer (SSL) link between your computer and the Google server. This prevents plaintext information from easily being viewed by anyone who might be monitoring Internet traffic. Here's more information.

Tuesday, August 07, 2007

Tobias on Locks

Mark Weber Tobias is one of the leading experts in the field of locks and safes. His LSS+ (Locks, Safes and Security) CD is considered the definitive reference source on locks and security systems; with extensive detail on their strengths and weaknesses.

Last year Tobias made headlines by demonstrating how easy it is to pick Kwikset locks using a technique called bumping. He's in the news again, this time with a newly discovered way to bypass high-security Medeco locks. This is kind of a big deal, because up until now, Medeco locks have been considered as unpickable.

Wednesday, August 01, 2007

TSA Administrator Interview

Noted security guru Bruce Schneier is doing a five-part interview series with Kip Hawley, Administrator of the U.S Transportation Security Administration (TSA, the folks responsible for making you taking off your shoes at the airport, banning liquids, and all sorts of other acts of "security theater.") Bruce asks some hard questions and Hawley mostly ducks them with the standard "if you only knew what I knew" response. This is a great example of how security works at the government level and what you should avoid doing when practicing security for the humanitarian sector.

(P.S. - As of August 1, 2007, The NGO Security Blog is active once again, with limited postings as time permits.)